Privacy Policy
Last updated: April 06, 2026
TestPath ("we", "us", "our") is a QA learning platform operated by Agustin Gottlieb. We are committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable privacy laws.
1. Data Controller
The data controller is TestPath, contactable at privacy@testpath.dev.
2. What Data We Collect
| Category | Data | Purpose | Lawful Basis |
|---|---|---|---|
| Account | Name, email, password (hashed) | Authentication & identification | Contract (Art 6.1.b) |
| Learning | Lesson progress, quiz answers, challenge submissions | Track learning progress, award XP | Contract (Art 6.1.b) |
| Payment | Stripe customer ID, subscription status | Process subscription payments | Contract (Art 6.1.b) |
| Profile | Bio, location, GitHub/LinkedIn URLs (optional) | Public profile, community features | Consent (Art 6.1.a) |
| Communications | Support tickets, feature suggestions | Customer support | Contract (Art 6.1.b) |
| Marketing | Email preferences, streak reminders | Retention emails (opt-in only) | Consent (Art 6.1.a) |
| Security | Masked IP address, login events | Fraud prevention, rate limiting | Legitimate interest (Art 6.1.f) |
3. How We Use Your Data
- Provide and improve the learning platform
- Process subscription payments via Stripe
- Send transactional emails (welcome, password reset, email confirmation)
- Send marketing emails only with your explicit consent
- Prevent abuse and ensure platform security
- Generate anonymized usage statistics
4. Data Processors (Third Parties)
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | USA | DPA + Standard Contractual Clauses |
| Brevo | Email delivery | EU (France) | GDPR-compliant, EU-based processor |
| Hetzner | Server hosting + database backups | EU (Germany) | GDPR-compliant EU hosting, Object Storage in EU |
5. Your Rights (GDPR)
Under GDPR, you have the right to:
- Access your data — View your data dashboard
- Export your data in JSON format — Download your data
- Rectify your data — Edit your profile at any time
- Erase your data — Delete your account
- Restrict processing — Contact us at privacy@testpath.dev
- Object to marketing — Unsubscribe via email preferences or email links
- Data portability — Export your data in machine-readable format
- Withdraw consent — Update your preferences or delete your account at any time
6. Data Retention
- Account data: Retained while your account is active. Deleted upon account deletion request.
- Learning progress: Retained while your account is active.
- Security logs: Retained for 90 days, then automatically deleted.
- Support tickets: Retained for 2 years for legal compliance.
- Payment records: Retained by Stripe per their retention policy and applicable tax law.
7. Cookies
We use only essential session cookies to keep you logged in. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. No cookie consent is required for strictly necessary cookies under GDPR.
8. Children's Privacy
TestPath is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@testpath.dev.
9. International Transfers
Our infrastructure is primarily EU-based: Hetzner (Germany) for hosting and backups, Brevo (France) for email. Stripe (USA) processes payments under Standard Contractual Clauses (SCCs) as approved by the European Commission. All database backups remain in the EU.
10. Security
We protect your data with HTTPS encryption in transit, bcrypt password hashing, HSTS headers, Content Security Policy, rate limiting, and access controls. Database backups are encrypted and stored in the EU.
11. Data Breach Notification
In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.
12. Contact & Complaints
For privacy requests: privacy@testpath.dev
You have the right to lodge a complaint with your local data protection authority. For Spain: Agencia Española de Protección de Datos (AEPD).
13. Changes to This Policy
We will notify you of material changes via email. Continued use of TestPath after changes constitutes acceptance of the updated policy.